fixing single anp conns compute when ingress and egress are intersect…

…ed (not fully matched)
np-guard · Aug 15, 2024 · 813bf1b · 813bf1b
1 parent e168f41
commit 813bf1b
Show file tree

Hide file tree

Showing 6 changed files with 251 additions and 4 deletions.
diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go
@@ -1229,4 +1229,10 @@ var goodPathTests = []struct {
 		testDirName:   "anp_test_multiple_anps",
 		outputFormats: ValidFormats,
 	},
+	{
+		// test with an anp where ingress and egress sections are not fully matched,
+		// need to consider intersection before collecting other policies conns
+		testDirName:   "anp_test_ingress_egress_intersection",
+		outputFormats: []string{output.TextFormat},
+	},
 }
diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
@@ -522,25 +522,33 @@ func (pe *PolicyEngine) getAllConnsFromAdminNetpols(src, dst k8s.Peer) (anpsConn
 	policiesConns := k8s.InitEmptyPolicyConnections()
 	// iterate the related sorted admin network policies in order to compute the allowed, pass, and denied connections between the peers
 	for _, anp := range adminNetpols {
+		singleANPConns := k8s.InitEmptyPolicyConnections()
 		// collect the allowed, pass, and denied connectivity from the relevant rules into policiesConns
 		// note that anp may capture both the src and dst (by namespaces field), so both ingress and egress sections might be helpful
 
 		// if the anp captures the src, get the relevant egress conns between src and dst
 		if srcAdminNetpols[anp] {
-			policyConnsPerDirection, err := anp.GetEgressPolicyConns(dst)
+			singleANPConns, err = anp.GetEgressPolicyConns(dst)
 			if err != nil {
 				return nil, false, err
 			}
-			policiesConns.CollectANPConns(policyConnsPerDirection)
 		}
 		// if the anp captures the dst, get the relevant ingress conns (from src to dst)
 		if dstAdminNetpols[anp] {
-			policyConnsPerDirection, err := anp.GetIngressPolicyConns(src, dst)
+			ingressConns, err := anp.GetIngressPolicyConns(src, dst)
 			if err != nil {
 				return nil, false, err
 			}
-			policiesConns.CollectANPConns(policyConnsPerDirection)
+			// get the intersection of ingress and egress sections if also the src was captured
+			if srcAdminNetpols[anp] {
+				singleANPConns.AllowedConns.Intersection(ingressConns.AllowedConns)
+				singleANPConns.DeniedConns.Union(ingressConns.DeniedConns)
+				singleANPConns.PassConns.Union(ingressConns.PassConns)
+			} else { // only dst is captured by anp
+				singleANPConns = ingressConns
+			}
 		}
+		policiesConns.CollectANPConns(singleANPConns)
 	}
 
 	if policiesConns.IsEmpty() { // conns between src and dst were not captured by the adminNetpols, to be determined by netpols/default conns

diff --git a/test_outputs/connlist/anp_test_ingress_egress_intersection_connlist_output.txt b/test_outputs/connlist/anp_test_ingress_egress_intersection_connlist_output.txt
@@ -0,0 +1,30 @@
+0.0.0.0-255.255.255.255 => bar-ns/bar[Deployment] : All Connections
+0.0.0.0-255.255.255.255 => foo-ns-1/foo[Deployment] : All Connections
+0.0.0.0-255.255.255.255 => foo-ns-2/foo[Deployment] : All Connections
+0.0.0.0-255.255.255.255 => kube-system/kube-dns[Deployment] : All Connections
+0.0.0.0-255.255.255.255 => monitoring-ns/monitoring[Deployment] : All Connections
+bar-ns/bar[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+bar-ns/bar[Deployment] => foo-ns-1/foo[Deployment] : UDP 5353
+bar-ns/bar[Deployment] => foo-ns-2/foo[Deployment] : UDP 5353
+bar-ns/bar[Deployment] => kube-system/kube-dns[Deployment] : UDP 5353
+bar-ns/bar[Deployment] => monitoring-ns/monitoring[Deployment] : UDP 5353
+foo-ns-1/foo[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+foo-ns-1/foo[Deployment] => bar-ns/bar[Deployment] : UDP 5353
+foo-ns-1/foo[Deployment] => foo-ns-2/foo[Deployment] : UDP 5353
+foo-ns-1/foo[Deployment] => kube-system/kube-dns[Deployment] : UDP 5353
+foo-ns-1/foo[Deployment] => monitoring-ns/monitoring[Deployment] : UDP 5353
+foo-ns-2/foo[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+foo-ns-2/foo[Deployment] => bar-ns/bar[Deployment] : UDP 5353
+foo-ns-2/foo[Deployment] => foo-ns-1/foo[Deployment] : UDP 5353
+foo-ns-2/foo[Deployment] => kube-system/kube-dns[Deployment] : UDP 5353
+foo-ns-2/foo[Deployment] => monitoring-ns/monitoring[Deployment] : UDP 5353
+kube-system/kube-dns[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+kube-system/kube-dns[Deployment] => bar-ns/bar[Deployment] : UDP 5353
+kube-system/kube-dns[Deployment] => foo-ns-1/foo[Deployment] : UDP 5353
+kube-system/kube-dns[Deployment] => foo-ns-2/foo[Deployment] : UDP 5353
+kube-system/kube-dns[Deployment] => monitoring-ns/monitoring[Deployment] : UDP 5353
+monitoring-ns/monitoring[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+monitoring-ns/monitoring[Deployment] => bar-ns/bar[Deployment] : UDP 5353
+monitoring-ns/monitoring[Deployment] => foo-ns-1/foo[Deployment] : UDP 5353
+monitoring-ns/monitoring[Deployment] => foo-ns-2/foo[Deployment] : UDP 5353
+monitoring-ns/monitoring[Deployment] => kube-system/kube-dns[Deployment] : UDP 5353
diff --git a/tests/anp_test_ingress_egress_intersection/anp.yaml b/tests/anp_test_ingress_egress_intersection/anp.yaml
@@ -0,0 +1,26 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: cluster-allow-example
+spec:
+  priority: 30
+  subject:
+    namespaces: {}
+  ingress:
+    - action: Allow
+      from:
+      - namespaces: {}
+      ports:
+        - portNumber:
+            protocol: UDP
+            port: 5353
+    - action: Deny # deny others
+      from:
+      - namespaces: {}
+  egress:
+    - action: Allow
+      to:
+      - namespaces:
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: foo-ns-2
diff --git a/tests/anp_test_ingress_egress_intersection/deployments.yaml b/tests/anp_test_ingress_egress_intersection/deployments.yaml
@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foo-ns-1
+spec: {}
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foo-ns-2
+spec: {}
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bar-ns
+spec: {}
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring-ns
+spec: {}
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: foo
+  namespace: foo-ns-1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: foo
+  template:
+    metadata:
+      labels:
+        app: foo
+    spec:
+      containers:
+      - name: foo
+        image: netpol/example1
+        args:
+        - -name
+        - foo
+        - -port
+        - "5698"
+        ports:
+        - name: http
+          containerPort: 5698
+          protocol: TCP
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: foo
+  namespace: foo-ns-2
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: foo
+  template:
+    metadata:
+      labels:
+        app: foo
+    spec:
+      containers:
+      - name: foo
+        image: netpol/example1
+        args:
+        - -name
+        - foo
+        - -port
+        - "5698"
+        ports:
+        - name: http
+          containerPort: 5698
+          protocol: TCP
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bar
+  namespace: bar-ns
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: bar
+  template:
+    metadata:
+      labels:
+        app: bar
+    spec:
+      containers:
+      - name: bar
+        image: netpol/example1
+        args:
+        - -name
+        - bar
+        - -port
+        - "8956"
+        ports:
+        - name: http
+          containerPort: 8956
+          protocol: TCP
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: monitoring
+  namespace: monitoring-ns
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: monitoring
+  template:
+    metadata:
+      labels:
+        app: bar
+    spec:
+      containers:
+      - name: monitoring
+        image: netpol/example1
+        args:
+        - -name
+        - monitoring
+        - -port
+        - "8956"
+        ports:
+        - name: http
+          containerPort: 8956
+          protocol: TCP
+---
diff --git a/tests/anp_test_ingress_egress_intersection/kube_system_pod.yaml b/tests/anp_test_ingress_egress_intersection/kube_system_pod.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+spec: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-dns
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kube-dns
+  template:
+    metadata:
+      labels:
+        app: kube-dns
+    spec:
+      containers:
+      - name: kube-dns
+        image: netpol/example2
+        args:
+        - -name
+        - kube-dns
+        - -port
+        - "5698"
+        ports:
+        - name: http
+          containerPort: 5698
+          protocol: TCP
+---